From 4260f41cb7c3abbdf35f3f5f41697b2db71618b2 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Sun, 4 Jan 2026 17:20:25 +0000 Subject: [PATCH] docs: fix FAQ about excess USDC - warn it can be extracted via flash loan The previous FAQ incorrectly stated that excess USDC 'cannot be borrowed'. In reality, excess USDC (actual balance - poolBalance) can be extracted by anyone via flash loan because the repayment check only verifies balanceAfter >= poolBalance, not balanceAfter >= balanceBefore. Updated to warn users and recommend calling sync() immediately after any direct transfers to protect excess funds. Co-Authored-By: Player 53627 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 746b237..bd9c47d 100644 --- a/README.md +++ b/README.md @@ -200,7 +200,7 @@ ERC-3156 specifies that borrowers should return `keccak256("ERC3156FlashBorrower **What happens if someone sends USDC directly to the contract?** -Direct transfers increase the actual balance but not `poolBalance`. This excess USDC cannot be borrowed (flash loans are capped at `poolBalance`). The owner can call `sync()` to update `poolBalance` to match the actual balance, making the excess available for flash loans. +Direct transfers increase the actual balance but not `poolBalance`. **Warning: This excess USDC can be extracted by anyone via flash loan.** The repayment check only verifies `balanceAfter >= poolBalance`, so a borrower can effectively keep the excess by repaying less than borrowed. The owner should call `sync()` immediately after any direct transfer to protect excess funds by updating `poolBalance` to match the actual balance. ## Security
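Review bot: In the rewritten FAQ answer, the advice that the owner "should call `sync()` immediately after any direct transfer" still leaves a window between the transfer and the `sync()` call during which the balance sits above `poolBalance`. The answer also names only the owner as the caller of `sync()`, so the person who sent the USDC may have no way to close that window. The commit message gives the cause as the repayment check verifying `balanceAfter >= poolBalance` rather than `balanceAfter >= balanceBefore`. I would therefore either reference a follow-up change to that check, or say in the FAQ that `sync()` is a workaround and that users should not send USDC directly to the contract. The new text also drops the old parenthetical that flash loans are capped at `poolBalance`; if that cap still holds, keep the clause so the answer does not lose it.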