by realaravinth 1416 days ago
Hello,

I'm the author of mCaptcha. I'll be happy to answer any questions that you might have :)

3 comments

Have you considered using a memory hard PoW instead of a computation bound one?
Only recently, yes. WASM performance is tricky. A memory-heavy algorithm will DoS visitors.

That said, there are protections within mCaptcha to protect against ASICs (PoW result has expiry and variable difficulty scaling), but they are yet to be validated. If they should prove to be insufficient, then I'll try a different approach with memory-heavy algorithms.

disclosure: author of mcaptcha
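
Added example, not part of the thread and not mCaptcha's own code: a hashcash-style PoW showing the two protections named in the reply above, results that expire and difficulty that scales with load. The SHA-256 puzzle, the HMAC-signed challenge, the 30-second TTL, the traffic tiers, the single-use salt set and all function names are assumptions made for illustration.

```python
import hashlib, hmac, os, time

SECRET = os.urandom(32)                    # server-side signing key (constructed)
TTL = 30                                   # assumed challenge lifetime, seconds
LEVELS = [(0, 8), (100, 12), (1000, 16)]   # assumed (requests/min, zero bits) tiers
_spent = set()                             # salts already redeemed (replay guard)

def difficulty_for(rate):
    # Variable difficulty: the highest tier whose threshold the load has reached.
    return max(bits for threshold, bits in LEVELS if rate >= threshold)

def _tag(salt, bits, expires):
    # Binds difficulty and expiry to the salt so the client cannot alter them.
    msg = f"{salt}:{bits}:{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue(rate, now=None):
    now = int(time.time()) if now is None else now
    salt, bits, expires = os.urandom(8).hex(), difficulty_for(rate), now + TTL
    return {"salt": salt, "bits": bits, "expires": expires,
            "tag": _tag(salt, bits, expires)}

def _meets(salt, nonce, bits):
    # Puzzle: SHA-256(salt:nonce) must start with `bits` zero bits.
    digest = hashlib.sha256(f"{salt}:{nonce}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - bits) == 0

def solve(ch):
    # Client side: brute-force search, about 2**bits hashes on average.
    nonce = 0
    while not _meets(ch["salt"], nonce, ch["bits"]):
        nonce += 1
    return nonce

def verify(ch, nonce, now=None):
    now = int(time.time()) if now is None else now
    expected = _tag(ch["salt"], ch["bits"], ch["expires"])
    if not hmac.compare_digest(expected, ch["tag"]):
        return False                       # challenge fields were tampered with
    if now > ch["expires"]:
        return False                       # result expired: no stockpiling
    if ch["salt"] in _spent or not _meets(ch["salt"], nonce, ch["bits"]):
        return False                       # replayed or wrong solution
    _spent.add(ch["salt"])                 # each solved challenge redeems once
    return True
```

The expiry bounds how long a precomputed solution stays useful, and the signed difficulty field keeps a client from downgrading the work it was assigned.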

Check out the latest revision of the gist. I have added some explanations. Do you think this implementation will work more efficiently or less efficiently? What kind of statistics do you collect in the database? Is there anything interesting in these statistics? Is collecting statistics worth the performance slowdown that occurs? How effective is banning a client by IP/IPv6?
I just want to say - people critique every service out there that slows spam and bots. Those critiques are valid from the "it won't stop everything" view, but it clearly stops a proportion, and the wider the variety of products out there, the less likely a spammer will have a canned answer for a particular site.
Agreed, it's been an interesting discussion so far with lots of interesting ideas. mCaptcha is very niche software that will only work for some use cases, but that's okay as long as whoever's deploying it is aware of its drawbacks. :)