mCaptcha: 100% FOSS privacy-respecting captcha system

Appreciate the feedback :+1:

Apologies, the server ran out of memory.

The demo is indeed hacked together, but I manually verified it before posting on here. It’s running out of my bedroom as I can’t afford a more stable location to run it. First time running out of memory, so apologies for the inconvenience.

Not necessarily. reCAPTCHA/hCaptcha serve (multiple) challenges by default for visitors from Tor.

mCaptcha implements PoW difficulty scaling, which greatly improves UX. Time taken to generate PoW when the service is seeing regular traffic will be very low (100-200 ms). The difficulty ramps up when the site is under attack and will reduce when the attack is contained.

So in essence, the average Tor user will spend more time solving reCAPTCHA/hCaptcha than they will with mCaptcha.

I’ve conducted experiments which prove mCaptcha’s ability to contain an attack. The source code for the experiment is publicly available here. The setup runs an mCaptcha server, a client service and a Locust (locust dot io) DoS client.

In my experiment, I set it up on a single computer (the funding will allow me to simulate DDoS scenarios). Here are the results as reported by Locust:

With mCaptcha protection:


Attack is detected, and difficulty level is increased. Locust reports 0.6 requests/second.

Thanks for reporting it; this patch fixes it and should be deployed once the CI pipeline finishes.

I’m more than happy to discuss the technical aspects of mCaptcha. But I posted here to learn more about the needs of Tor hidden service sysadmins and to see how I can be of help to them.
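
A hashcash-style sketch of the PoW difficulty scaling described in the post above, added as an illustration; it is not part of the original post and is not mCaptcha's code. The thresholds, window length, SHA-256 construction and all names are assumptions made for the example.

```python
import hashlib
from collections import deque

# Constructed levels: (challenge requests seen in the window, required leading zero bits).
LEVELS = [(0, 8), (50, 14), (200, 18)]
WINDOW_SECONDS = 30.0  # assumed sliding-window length

class DifficultyScaler:
    """Counts recent challenge requests and maps the count to a difficulty."""
    def __init__(self):
        self.hits = deque()

    def _expire(self, now):
        # Drop requests that have fallen out of the sliding window.
        while self.hits and now - self.hits[0] > WINDOW_SECONDS:
            self.hits.popleft()

    def record(self, now):
        self.hits.append(now)
        self._expire(now)

    def difficulty(self, now):
        # Highest level whose threshold the current traffic has reached.
        self._expire(now)
        bits = LEVELS[0][1]
        for threshold, level_bits in LEVELS:
            if len(self.hits) >= threshold:
                bits = level_bits
        return bits

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def pow_hash(salt, challenge, nonce):
    return hashlib.sha256(f"{salt}:{challenge}:{nonce}".encode()).digest()

def solve(salt, challenge, bits):
    # Client side: expected work doubles with every extra bit of difficulty.
    nonce = 0
    while leading_zero_bits(pow_hash(salt, challenge, nonce)) < bits:
        nonce += 1
    return nonce

def verify(salt, challenge, nonce, bits):
    # Server side: one hash, checked against the difficulty the server issued,
    # never against a difficulty value supplied by the client.
    return leading_zero_bits(pow_hash(salt, challenge, nonce)) >= bits
```

Verification costs the server a single hash at any level, while the solver's expected work grows exponentially with the bit count, which is what makes a flood of challenge requests expensive for the sender.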