@devin-ai-integration
Contributor

Summary

Fixes a misleading FAQ entry that incorrectly stated excess USDC "cannot be borrowed." In reality, excess USDC (actual balance - poolBalance) can be extracted by anyone via flash loan because the repayment check only verifies balanceAfter >= poolBalance, not balanceAfter >= balanceBefore.

The updated FAQ now warns users about this risk and recommends calling sync() immediately after any direct transfers to protect excess funds.

Review & Testing Checklist for Human

  • Verify the technical claim is accurate by reviewing the contract's repayment check in src/LIQFlashYul.sol lines 167-176 (should be if lt(mload(0x00), poolBal) { revert })
  • Consider if this warning should also be added to SECURITY.md for visibility

Test plan: This is a documentation-only change. Review the wording for clarity and technical accuracy.

Notes

This issue was identified during discussion about Issue #12 (excess USDC security concern). The previous FAQ was misleading - while amount <= poolBalance prevents borrowing MORE than poolBalance, it doesn't prevent extracting excess funds via reduced repayment.

Link to Devin run: https://app.devin.ai/sessions/861106c4151b439ebcb344694d9b611a
Requested by: Player 53627 (github.stagnate430@passmail.com) / @igor53627
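The accounting gap described in the summary above, as an added Python model; this is not code from the igor53627/liq repository, and the `Pool` class, its `strict` flag and all amounts are constructed assumptions for illustration:

```python
# Added example, not code from the igor53627/liq repository: a constructed
# Python model of the flash-loan accounting the PR describes. `pool_balance`
# stands for the contract's cached poolBalance; `balance` is the real USDC
# balance. `strict=True` selects a check against balanceBefore instead of
# poolBalance. Names and amounts are constructed for illustration only.

class Pool:
    def __init__(self, pool_balance, strict=False):
        self.pool_balance = pool_balance  # cached accounting value (poolBalance)
        self.balance = pool_balance       # actual token balance
        self.strict = strict              # True: require balanceAfter >= balanceBefore

    def direct_transfer(self, amount):
        """A plain token transfer into the pool; poolBalance is not updated."""
        self.balance += amount

    def excess(self):
        """Funds the contract holds but does not account for."""
        return self.balance - self.pool_balance

    def sync(self):
        """Fold excess into the accounted balance (the PR's recommendation)."""
        self.pool_balance = self.balance

    def repayment_floor(self, balance_before):
        # Page's check: balanceAfter >= poolBalance. Strict: >= balanceBefore.
        return balance_before if self.strict else self.pool_balance

    def min_accepted_repayment(self, amount):
        """Smallest repayment the check accepts for a loan of `amount`."""
        balance_before = self.balance
        return max(0, self.repayment_floor(balance_before) - (balance_before - amount))

    def flash_loan(self, amount, repay):
        """Return True if the loan settles, False if the check reverts it."""
        if amount > self.pool_balance:
            return False                   # the amount <= poolBalance guard
        balance_before = self.balance
        self.balance -= amount             # tokens sent to the borrower
        self.balance += repay              # borrower's callback repays
        if self.balance < self.repayment_floor(balance_before):
            self.balance = balance_before  # revert
            return False
        return True
```

With 1000 accounted and 50 sent directly, the poolBalance check accepts a repayment of 950 and the pool ends 50 short; after sync(), or with the balanceBefore check, the same loan reverts.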

…loan

The previous FAQ incorrectly stated that excess USDC 'cannot be borrowed'.
In reality, excess USDC (actual balance - poolBalance) can be extracted by
anyone via flash loan because the repayment check only verifies
balanceAfter >= poolBalance, not balanceAfter >= balanceBefore.

Updated to warn users and recommend calling sync() immediately after
any direct transfers to protect excess funds.

Co-Authored-By: Player 53627 <github.stagnate430@passmail.com>
@devin-ai-integration
Contributor Author

Original prompt from Player 53627
is there anything we can make better in the repo?

You only need to look in the following repo: igor53627/liq

@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR that start with 'DevinAI' or '@devin'.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

@changeset-bot

changeset-bot bot commented Jan 4, 2026

⚠️ No Changeset found

Latest commit: 4260f41

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

@coderabbitai

coderabbitai bot commented Jan 4, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Comment @coderabbitai help to get the list of available commands and usage tips.

@igor53627 igor53627 merged commit b5a02c9 into main Jan 4, 2026
2 checks passed
@igor53627 igor53627 deleted the devin/1767547199-fix-faq-excess-usdc branch January 4, 2026 17:22