docs: audit triage - update SECURITY.md and add audit report

[devin-ai-integration]

docs: audit triage - update SECURITY.md and add audit report

Summary

Processes the AuditAgent security audit report (Scan ID: 26, January 4, 2026) and updates documentation accordingly. This PR:

1. Updates SECURITY.md to reflect audited status and removes the non-existent email contact
2. Adds the full audit PDF report to audits/ directory
3. Documents responses to all 15 audit findings in audit_responses.md
4. Fixes TestBorrower vulnerability (Issue [Security][High][TestBorrower] Arbitrary lender injection allows draining USDC #19) - hardens the example contract against arbitrary lender injection

GitHub issues created for audit findings - all resolved:

• #18: Excess USDC extraction (Medium) - Closed as design decision
• #19: TestBorrower lender injection (High - example code) - Fixed in this PR
• #20: Missing ERC20 return value checks (Info) - Closed as future version improvement
• #21: Missing events (Best Practices) - Closed as gas optimization design decision

Updates since last revision

• Issues [Security][Info][LIQFlashYul] Missing ERC20 return value checks - USDC upgrade risk #20 and [Best Practices][LIQFlashYul] Missing events for critical state-changing operations #21 closed: User confirmed these are intentional design decisions:
  • [Best Practices][LIQFlashYul] Missing events for critical state-changing operations #21: Events omitted to save gas in Yul implementation
  • [Security][Info][LIQFlashYul] Missing ERC20 return value checks - USDC upgrade risk #20: ERC20 return value checks can be added in future redeployment (contract is stateless, redeployment is low-friction)
• audit_responses.md updated: All 15 findings now fully triaged with clear status

Review & Testing Checklist for Human

• Verify TestBorrower security fix is correct - Review the new validation checks in onFlashLoan(): initiator, token, and amount validation. Ensure these prevent the arbitrary lender injection attack described in Issue [Security][High][TestBorrower] Arbitrary lender injection allows draining USDC #19
• Confirm all issue closures are appropriate - Verify you agree with closing [Security][Medium][LIQFlashYul] Excess USDC can be extracted via flash loan (front-runnable sync) #18, [Security][Info][LIQFlashYul] Missing ERC20 return value checks - USDC upgrade risk #20, [Best Practices][LIQFlashYul] Missing events for critical state-changing operations #21 as design decisions
• Verify false positive classifications - Finding Optimization: Pack owner+treasury in single storage slot #4 (Yul return statements) and [Security][Medium][flashLoan] Excess USDC above poolBalance can be stolen via flash loan #12 (unused state variables) are marked as scanner misunderstandings

Test Plan

1. Review the TestBorrower.sol diff to verify the security fix logic
2. Optionally run forge test to ensure no regressions (note: fork tests may fail without RPC)
3. Review audit_responses.md classifications against the audit PDF

Notes

• The invariant wording changed from "must always equal" to "should equal" - intentional to reflect that direct transfers can cause temporary desync
• TestBorrower is example/test code, not deployed production code, but was fixed to prevent copy-paste vulnerabilities
• The audit PDF is ~4MB binary file

Link to Devin run: https://app.devin.ai/sessions/861106c4151b439ebcb344694d9b611a
Requested by: Player 53627 (github.stagnate430@passmail.com) / @igor53627

[devin-ai-integration]

Original prompt from Player 53627

is there anything we can make better in the repo?


You only need to look in the following repo: igor53627/liq

[changeset-bot]

⚠️ No Changeset found

Latest commit: eb21019

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR that start with 'DevinAI' or '@devin'.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}