One of the biggest challenges in auditing is quickly ramping up on a system. The faster I can do this, the more time and capacity I have for finding real issues with it. I'm working my way through the extremely popular "Learning to Learn" course on Coursera, in order to help me improve at this.
My notes summarize the course content, and describe specific implications for how to learn and understand a smart contract system more quickly and deeply.
Learning and understanding require a combination of two modes of thought: Focused and Diffuse.
You're in focused mode when concentrating intently on the subject matter. In auditing, I use focused mode when reading a specification, the code base, or any other directed activity intended to help better understand the contract system.
- I can get deeper into focused mode by listening to instrumental music in headphones.
- Close chat apps, enable do-not-disturb, etc. The longer you can stay in focused mode without something else grabbing your attention, the stronger your mental model will be, and the deeper your capacity to learn.
- Having a dedicated space that you use for focused work can help your mind to switch into the mode as well.
The diffuse mode is when your mind is relaxed. After a period of focus, the diffuse mode gives your brain a chance to work in the background:
- solidifying important connections,
- pruning less important ones,
- integrating what you've learned into what you already know.
You might even come up with new insights and/or metaphors to connect the new contract system to similar contracts, or other systems you're familiar with.
Use the Pomodoro technique to intersperse sprints of focus (25 to 30 minutes) with short diffuse-mode breaks (5 to 10 minutes).
Going for a run, or a walk, or chatting with a colleague is also a good way to "get diffuse". Social media (for me at least) is not so good, because it often activates my amygdala, which is not conducive to reentering focused mode.
I'd like to take up juggling. I think that's a perfect diffuse activity, and easy to do for just a few minutes. I think there might also be something to activating the brain's fine motor control system, for helping to solidify learning.
When I have a really big, complex system to audit, I sometimes find it hard to start on it. Procrastination is a result of your brain's pain centers activating when you just think about doing something unpleasant.
Fortunately research has demonstrated that just getting started tends to reduce the pain reaction.
Find an easy, bite-sized way to get started. For me this often means printing out the spec, or some other documentation, then sitting down with a pen to mark up the doc with my thoughts and questions.
Simply reading something isn't enough. You have to Read Actively. This applies to reading code too.
Quickly skim over the full doc, or a section of it, before reading more carefully. This will give you the lay of the land, to fit the smaller chunks into when you start reading more carefully. When first approaching a codebase, try to get a rough sense of the major components before diving deeper into a specific one:
- What are the final derived contracts that will be deployed?
- What is the storage layout of the derived contract?
- Which 'mixin' contracts are inherited by the deployed contracts?
- What is the purpose of each mixin contract? Why were its storage values and functions separated from the rest of the system?
One of the best ways to retain and understand what you read is to read a section, then look up and try to recall what you just read. For specific parts of a code base:
- Look at a function, then try to recall the inputs, outputs, and how those are computed. Does the function have any side effects? What conditions should cause the function to revert or throw?
- Look at the storage variables, then look away. Try to write down all the variable names and types. What is their purpose? Are their names a good description? How are these variables related? What could be the consequences if an unauthorized address could overwrite them?
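To make the storage-layout and mixin questions above (and the "what if an unauthorized address could overwrite them" question) concrete, here is an added illustration of my own, not code from the course or from any audited system. The contract names (Ownable, Pausable, Balances, Token) are made up for the example; the slot numbers in the comments follow Solidity's rule that state variables are laid out in C3-linearization order, most-base contract first, with packing allowed across contract boundaries.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Mixin 1: ownership. It comes first in the `is` list of Token, so its
// variable takes the first storage slot of the deployed contract.
abstract contract Ownable {
    address public owner;                       // slot 0, bytes 0..19

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }
}

// Mixin 2: pausing. A bool is 1 byte, so it is packed into the 12 bytes
// left over in slot 0 next to `owner`, even though it lives in another contract.
abstract contract Pausable {
    bool public paused;                         // slot 0, byte 20
}

// Mixin 3: accounting. Mappings always take a whole slot of their own.
abstract contract Balances {
    mapping(address => uint256) public balanceOf; // slot 1 (base slot of the mapping)
    uint256 public totalSupply;                   // slot 2
}

// The final derived contract: the one that is actually deployed.
// Linearization: Ownable, Pausable, Balances, Token.
contract Token is Ownable, Pausable, Balances {
    uint256 public cap;                         // slot 3

    constructor(uint256 cap_) {
        owner = msg.sender;
        cap = cap_;
    }

    // Recall question from the checklist: what happens if an unauthorized
    // address could write these variables? Here only `owner` may change `cap`;
    // if slot 0 could be overwritten by anything else (for example a proxy or
    // delegatecall target with a different layout), every onlyOwner function
    // would change hands with it.
    function setCap(uint256 newCap) external onlyOwner {
        cap = newCap;
    }

    // Audit helper (hypothetical, not something you would ship): read a raw
    // slot so the layout written in the comments can be checked on a local node.
    function slotAt(uint256 slot) external view returns (bytes32 value) {
        assembly { value := sload(slot) }
    }
}
```

Calling `slotAt(0)` right after deployment should show the deployer's address in the low 20 bytes and `paused == false` in byte 20, while `slotAt(3)` returns the cap; comparing that against your written-down layout is the "look away and recall" exercise applied to storage.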
On paper, it's common to underline and highlight. This is not very effective. It's more useful to add your own notes, insights and questions in the margins. This encourages you to actually consider, process and integrate the information.
Extending this to code: In an audit I often add short comments indicating a line I don't understand the purpose of, or something I think might present a risk. It would probably be more effective to write longer comments, about a block of code (like an if/else, or a short function).
If you're not reading actively, re-reading isn't much use. It's like pouring water through a sieve more than once.
Sleep: guess what? You need it.
Apparently when you sleep, your brain cells shrink, which leaves space for toxins to be washed away. Or something like that. That's why a sleep deficit is cumulative.
Exercise: yes, that helps too. Exercise helps the mind get into diffuse mode, and make connections between different ideas.