diff --git a/README.md b/README.md
index 59def79..0102fc7 100644
--- a/README.md
+++ b/README.md
@@ -34,3 +34,7 @@ block number the fork starts from. If it starts from an old state some tests mig
 `npm run test [network] [test-file]` - run a test to the specified network by calling the script from the `/test` folder
 
 `npm run verify [network] [contract-name]` - verify contract based on address and arguments from `/deployments` folder
+
+## Remarks
+
+- `Exchange.sol` in the `_swap` function we are calling low level function `call` with arbitrary address and call data, which may impose some security threats, however by design the `Exchange` contract does not hold any founds and is used only as proxy to Exchange (1inch) and collecting fees. Thus calling `call` in our case is safe and does not expose us or our users to theft of funds. 
diff --git a/contracts/multiply/Exchange.sol b/contracts/multiply/Exchange.sol
index 6db2f2a..4ee0f06 100644
--- a/contracts/multiply/Exchange.sol
+++ b/contracts/multiply/Exchange.sol
@@ -85,6 +85,8 @@ contract Exchange {
     bytes calldata withData
   ) internal returns (uint256) {
     IERC20(fromAsset).safeApprove(callee, amount);
+    // In general we shouldn't call arbitrary address with arbitrary data. This would be a security risk,
+    // However in this case by design the Exchange contract does not hold any funds, so there is nothing to be stolen.
     (bool success, ) = callee.call(withData);
     require(success, "Exchange / Could not swap");
     uint256 balance = IERC20(toAsset).balanceOf(address(this));