Merged
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -200,7 +200,7 @@ ERC-3156 specifies that borrowers should return `keccak256("ERC3156FlashBorrower

**What happens if someone sends USDC directly to the contract?**

Direct transfers increase the actual balance but not `poolBalance`. This excess USDC cannot be borrowed (flash loans are capped at `poolBalance`). The owner can call `sync()` to update `poolBalance` to match the actual balance, making the excess available for flash loans.
Direct transfers increase the actual balance but not `poolBalance`. **Warning: This excess USDC can be extracted by anyone via flash loan.** The repayment check only verifies `balanceAfter >= poolBalance`, so a borrower can effectively keep the excess by repaying less than borrowed. The owner should call `sync()` immediately after any direct transfer to protect excess funds by updating `poolBalance` to match the actual balance.

## Security

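Review bot: The mitigation in the rewritten answer, "The owner should call `sync()` immediately after any direct transfer", is not something the owner can guarantee. The question itself is about someone else sending USDC directly, so a flash loan can land before the owner's `sync()` does. Since the paragraph names the cause as the repayment check only verifying `balanceAfter >= poolBalance`, say that `sync()` narrows the window rather than closes it, and note whether a contract-side fix is planned (for example, checking repayment against the balance recorded before the loan). The rewrite also drops the old sentence that flash loans are capped at `poolBalance`; if that cap still holds, keep it, because it tells readers the exposure is bounded by the excess above `poolBalance`. Finally, this warning sits in the FAQ while `## Security` follows directly below; a one-line pointer from that section would make it easier to find.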