Merkle root duration cannot be changed

[cedoor]

Describe the bug

When the merkle root of a group’s incremental merkle tree is updated, the Semaphore contract allows the old root to still be used to verify proofs as long as it is within merkleRootDuration of the root’s creation. The merkleRootDuration is set when a new group is created. However, no validation is performed on merkleRootDuration which could lead to issues such as verifyProof reverting due to an overflow if the value is too large.

Impact

The admin might not know an appropriate value for the merkleRootDuration and may like to change it in the the initial value is inconvenient. In addition, under certain circumstances a poorly chosen value could cause verifyProof to fail.

Additional context

This bug was found by Veridise during their audit of Semaphore. If you acknowledge and fix this bug, can you please mention Veridise in the commit.