Source: training Module 2. Blind audit of Code4rena 2022-12-Escher; graded vs the published report (3 High, 13 Med). I solidly caught ~8/16 (the mechanical-adjacent logic: overflow, downcast, gas-stipend, deadline, partial-sale) but MISSED the adversarial refund-theft High and BOTH access-control "rug" Mediums, and under-rated every High. The misses distill into 3 reusable heuristics. These target the manual/logic layer the scanners miss (our actual edge, per the operator).
I proved LPDA refund accounting conserved for normal buys, declared it sound, and STOPPED -> missed H-03 (a malicious receiver extracts buyers' refund overpayments by calling buy(amount=0) AFTER the sale ends). RULE: for every value-moving function, after checking the happy path, explicitly feed: amount=0 / dust / max; call it AFTER the terminal state (sale ended, finalized, paused); and call it AS the privileged/receiver party. Ask "what does a MALICIOUS actor EXTRACT," not "does the honest path balance." Happy-path conservation is a necessary, not sufficient, proof.
I verified each function was role-gated and found no missing-modifier High -> but missed M-11 (a creator keeps admin over the sale's MINTER_ROLE and can REVOKE it mid-sale to brick/virtually-cancel) and M-13 (Escher721 mixes OwnableUpgradeable + AccessControl, so the owner can transfer ownership and bypass CREATOR_ROLE intent). RULE: enumerate every privileged role/owner, then for each ask "what can a LEGITIMATE holder DO to harm users or break invariants?" - revoke/re-grant a role a live flow depends on, transfer ownership, pause, reinitialize, upgrade. And flag any contract with TWO authority systems (Ownable + AccessControl) - they create bypass seams.
I rated selfdestruct-funds-lost (H-01) and getPrice underflow-bricks-contract (H-02) as Low/Med; the report rated both High. RULE: if the outcome is PERMANENT fund loss, permanent fund lock, or a permanently bricked contract, default to High regardless of how "edge" the precondition feels (bad settings, a contract recipient, a specific timing). Reachability lowers it only if the precondition is genuinely unreachable, not merely unusual. Calibrate against the impact, not the exotic-ness of the trigger.
Missed M-01 (documented setTokenRoyalty never exposed) and M-05 (fee charged on cancel-before-start, contra intent) because I never read the docs. Intended-vs-actual and documented-but-absent functionality are findings.
Correctly dismissed slither's reentrancy-no-eth on FixedPrice.buy as a FALSE POSITIVE by confirming
Escher721.mint uses _mint (no onERC721Received callback). The scanners flag the mechanical shape; manual review
confirms reachability. That triage is the value-add - keep doing it, but pair it with H1/H2 to catch what the
scanners never raise at all.