Improperly set parameter in constructor may lead to failed redemptions
Description
Lack of input validation in the constructor on the _txExpirationPeriod parameter may lead to failed redemptions.
Impact
The variable txExpirationPeriod is included as an anti-slippage measure during redemptions, as it limits the amount of time in which a transaction can be included in a block. Mistakenly setting _txExpirationPeriod to 0 or a low value may cause transactions to revert, which will block user redemptions.
It is evident from Ionic Protocol's deploy script and tests that they have considered this issue and have appropriately set a _txExpirationPeriod time of +40 minutes. Therefore, we do not believe this has a security impact presently, but it may lead to future bugs.
Recommendations
Consider including a require statement in the constructor to impose a minimum threshold for _txExpirationPeriod. The Jarvis documentation recommends setting the expiration period to +30 minutes in the future to account for network congestion.
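A sketch of the recommended check, added here as an illustration and not taken from Ionic Protocol's code or its fix. The contract name, the MIN_TX_EXPIRATION_PERIOD constant, the uint64 type and the redemptionDeadline helper are assumptions; the 30-minute floor is taken from the figure quoted above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical contract for illustration only; not the audited code.
contract ExpirationPeriodExample {
    // Assumed floor, based on the 30-minute figure in the recommendation.
    uint64 public constant MIN_TX_EXPIRATION_PERIOD = 30 minutes;

    // Seconds added to block.timestamp to form the redemption deadline.
    // Immutable, so a bad value could not be corrected after deployment.
    uint64 public immutable txExpirationPeriod;

    constructor(uint64 _txExpirationPeriod) {
        // Fail at deployment if the period is 0 or too short, instead of
        // letting user redemptions revert later.
        require(
            _txExpirationPeriod >= MIN_TX_EXPIRATION_PERIOD,
            "txExpirationPeriod below minimum"
        );
        txExpirationPeriod = _txExpirationPeriod;
    }

    // Hypothetical helper: the deadline a redemption would carry.
    // The constructor check guarantees it lies at least
    // MIN_TX_EXPIRATION_PERIOD after the current block's timestamp.
    function redemptionDeadline() public view returns (uint256) {
        return block.timestamp + txExpirationPeriod;
    }
}
```

With the check in place, a deploy script that passes 0 or a value under the floor reverts during deployment, so the misconfiguration surfaces before any user funds depend on the contract.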
Remediation
The issue has been fixed by Ionic Protocol in commit 782b54.