With over 80% of the hacks in 2022 resulting from exploited DeFi protocols, it is of the utmost importance that white hats stay on top of the latest hacks and research. Oftentimes, staying on top of the field means learning a lot of new material in a very quick time frame, especially if you’re in the war room with a protocol who’s suffered a major hack. In addition, it is incredibly important to remain optimistic and believe in one’s own learning capacity to continue to function effectively in the field against black hats. In these various complex learning scenarios in web3sec, it’s incredibly important to approach them with a growth mindset, otherwise you risk repeating the same mistakes, experiencing overwhelm and frustration, even eventual burn out from the field entirely.
In this blog post, I’ll go over what a growth mindset is (as opposed to a fixed mindset), practical strategies for continuous learning with a growth mindset, tactics for frustration management during the learning process, and more. These learning and mindset challenges are normal. However, believing that you are smart by default (fixed mindset) can prevent you from getting gritty and learning to see your mistakes as opportunities for improvement.
In my own words, based on this course, growth mindset is a set of mental framework beliefs that enable one to surpass their pre-conceived limitations and embrace their own ability to change and adapt in order to learn a variety of topics or concepts. For example, growth mindset leads to more resilience and grit in the face of challenges as they are seen as temporary, whereas with a fixed mindset, these challenges become insurmountable in the mind, leading to poor performance facing them.
In the course, I learned that many learners who believe they are naturally good at something will hesitate when presented with challenging material in their field because they believe it should come naturally, rather than through hard work. Whereas, those who embrace these challenges and believe in their capacity to learn outperform those with the ‘natural abilities’. They expect challenges and greet them as opportunities.
Fixed Mindset consists of believing you are born a certain way and cannot change. You are either a math person, for example, or not. Nothing will change this for you. This the opposite of the growth mindset. Growth mindset says that you can learn anything. It allows you to value the process of learning regardless of the outcome. In a growth mindset, presenting yourself with challenges results in taking action to ameliorate your learning gaps. You can - with this attitude of adaptability - start a study group, ask for help from your peers, revisit your mistakes with curiosity instead of judgement. You can learn anything you set your mind and resources towards. Whereas, in a fixed mindset, you are either good at something or bad at it with no room for improvement.
In web3sec, there is an evolving threat landscape. This landscape means that white hats must face new challenges very fast and new threats, threat actors, and hacks are being invented constantly and executed against unsuspecting protocols and web3 projects. Between competitive audits, bug bounties, and manual audits, there are still gaps in coverage. It is an absolute must to be vigilant to these gaps and to learn about the increasingly secure ways to conduct ourselves as white hats in web3. In some cases, we may be frustrated, demoralized, or face persistent, daunting challenges in web3sec.
As a result of this evolving threat landscape, it is a requirement to be persistent in the face of difficulties for security researchers. Whether it is in learning new DeFi concepts or in tracking down and investigating rug pulls, growth mindsets facilitate creative and quick problem-solving by encouraging us to be malleable and persistent against these on-going challenges. It is equally important to maintain a curious, hopeful approach that both respects the developers of the project and also facilitates improvements by discovering vulnerabilities that can be patched while auditing.
Missing vulnerabilities in an audit that later get exploited is a painful experience, but it is important to remember we are all learning and growing in our intentions to protect the future of the Internet. We must take these learning opportunities seriously, but also learn from missed opportunities and mistakes effectively, so we do not repeat them in the future. This involves being proactive with examining our mistakes and making an effort to learn how to ameliorate them in the future, which we can do continuously if we believe we can learn anything, i.e. adopt a growth mindset.
Much of web3sec is reading post-mortems of big hacks, past audit reports on solodit.xyz, and constantly learning from the best in the field how to improve our auditing process and mental model for auditing or keeping up to date on newer courses released such as JohnnyTime’s Smart Contract Hacking with Hardhat and Solidity course or Patrick Collin’s Cyfrin Updraft courses on Foundry, Security and Auditing, and Assembly and Formal Verification or Guardian Audits Open Source Security Course. It is important to have the stamina to continuously learn about the latest best practices in the field and prevent burnout with self-care and good mindset practices.
It is so important to embrace any challenges in learning and adapt to your own particular learning style to teach yourself the newest and latest and greatest strategies for protecting protocols and web3 projects. One may test one’s learning style in various ways, here are some examples of tests that may help you become a more self-aware learner by learning your learning style:
Once you understand your learning style, you can tailor your learning strategies specifically to yourself.
Quickening the feedback cycle is important. The faster you have feedback, the quicker you can synthesize your learnings into actionable insights. In learning, we must synthesize and retain what we have learned, so it is important to do a learnings post-mortem. Here’s how:
Simply ask yourself the following questions:
Record your answers and iterate on your learning techniques. Whether you’re using the Feynman technique, spaced repetition, or Pomodoro techniques, learning is a customizable experience that can be honed.
You could use this in an example of testing your ability to find a re-entrancy bugs in various codebases on solodit.xyz.
Lucky for us, web3sec is a relatively supportive and friendly community. It is still possible to DM some of the best security researchers with questions and actually get a reply. However, as Patrick Collins explains in his lectures, it is important to respect other people’s time and use your own resources before doing so. This involves asking Ethereum StackExchange, using ChatGPT, or Gemini, or other AI tool that can answer your solidity auditing questions or DeFi topic questions first before reaching out, reading over similar issues on solodit.xyz is helpful as well for context. Always be careful to make sure to double check your information from these AIs as they tend to hallucinate. Also, if you need, the community is usually very friendly and willing to reach back and answer questions, too.
Managing frustration in the learning process can be a whole dissertation, however, I will address the basics that apply to a growth mindset. Take a break. Take a walk. Take a deep breath. Remember your ‘why’ helps too. Remember ‘why’ you are doing this will help you stick to your goals.
Using SMART goals in your learning is also incredibly beneficial. This means setting realistic, achievable goals for your continuous learning is crucial to avoid burnout. If you are unfamiliar with SMART goals, they are Specific, Measurable, Achievable, Relevant, Time-Bound goals. For example, one might set a goal of learning to spot logic error bugs within a specific codebase in order to be able to audit logic error bugs in the future. Set a goal of learning this within a week and it is a SMART goal for an experienced smart contract developer.
There are many mindset exercises that one can do, but the particularly effective one I’ve found is visualization. Visualize yourself succeeding at learning for a good 5 minutes, then proceed to learn.
In conclusion, we’ve discussed a growth mindset, fixed mindset, how to deal with frustration, the importance of collaboration and community in learning, as well as effective goal setting in learning with SMART goals and mindset exercises for improving/reinforcing your growth mindset.
I encourage you to integrate these learning strategies into your daily practice as a web3 security researcher and to think more about the meta-learning of learning to adapt to your own specific learning style. Whether you’re learning a new tool or new DeFi hack or new cryptographic material, this mindset will help you synthesize material quicker and be kinder to yourself while doing so.
The long-term benefits of adapting a growth mindset include a positive, optimistic, confident approach to learning anything, a better attitude towards challenges and frustrations, as well as increased chances of persevering in your studies to master material. This mindset also helps you see the ability of others to grow and help them do so by encouraging their learning, normalizing frustration and feedback-giving. So, you get not only a friendlier inner voice when learning and approaching mistakes and frustration over new material and learnings, but you gain friends by helping them with their challenges as well.
For more information on growth mindset, you can explore the Khan Academy LearnStorm course yourself!