Even if your server is not vastly more powerful, your 1 second of proof-of-work means a single server can pass your challenge 3600 times an hour.
The point is: a CAPTCHA has to be something that is easy for humans and hard for bots. This is at best the same level of effort from human('s devices) and bots. And realistically, more, because bots aren't battery-powered. It can't work.
I've had this problem a lot when I use a VPN. You're served a captcha that is impossible (I choose all of the correct squares and it still fails), and then I'm given a captcha with the ultra-slow click and reload images. At this point, I think it's more of an IP rate limiter than a human-bot detector.
But then some other services don't degrade like that and still offer you some easy 2-step puzzle "rotate a pic until panda is not upside down" or "find a panda".
Yes, due to the emergence of better bots, traditional CAPTCHAs aren't very good at being CAPTCHAs anymore either. It's a hard problem to solve, and it's a moving target.
> Even if your server is not vastly more powerful, your 1 second of proof-of-work means a single server can pass your challenge 3600 times an hour.
A decentralized CAPTCHA that reduces an attacker to one request per second is a lot better than nothing! Why are you dismissing this as useless?
At the end of the day, all CAPTCHAs can be circumvented by paying humans to solve them. So all CAPTCHAs have a price, and in this case it’s the price of the power used by the CPU as well as renting the CPU (or the depreciation on a CPU you own).
But it does not. It reduces it to 1 request per second, at least, per core, per machine that the attacker controls. A single attacker can still send millions of requests per hour at very low cost, limited only by compute resources, which is what CAPTCHA is supposed to work around (by challenging the human, not the machine).
Similarly to how many security features work, it doesn't have to be 100% (or it may even be impossible to make it 100%), it just has to be good enough/make the attack expensive enough to deter it. There aren't really any easy tasks left for humans that a suitably trained ML algorithm couldn't do, and anything more complex would just annoy people. Even if there is such a task, the line moves quickly -- back then reading some colored digits from an image was unfeasibly hard/expensive for bots. Nowadays your phone extracts text from your images in the background.
In this vein, anything requiring ML/expensive computation is still a worthwhile addition, as today the primary purpose of a CAPTCHA is to slow down/rate limit bot-activity. Your single server use case is not really realistic -- it can be easily reverted (it won't come from 3600 IP addresses, otherwise the rate would be much lower), and 3600 times an hour is... not a lot for a computer. So it seems to do its job well.
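For reference, a hashcash-style proof-of-work challenge of the kind debated in this thread, with the server-side checks a deployment would need (signed difficulty, expiry, replay protection) and the throughput arithmetic both sides argue over. This is an added example, not code from any commenter or from the project under discussion; `SERVER_KEY`, the in-memory `_seen` set, the 120-second lifetime and all function names are assumptions.

```python
import hashlib, hmac, os, time

SERVER_KEY = b"constructed-demo-key"  # assumption: per-deployment secret
_seen = set()                         # spent challenges (assumption: in-memory store)

def leading_zero_bits(digest):
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits

def _tag(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_challenge(difficulty_bits, now=None):
    """Stateless challenge: nonce, difficulty and expiry bound by an HMAC tag."""
    expires = int((time.time() if now is None else now) + 120)
    body = f"{os.urandom(8).hex()}:{difficulty_bits}:{expires}"
    return f"{body}:{_tag(body)}"

def solve(challenge):
    """Client side: brute-force a counter; expected work is 2**difficulty hashes."""
    bits = int(challenge.split(":")[1])
    counter = 0
    while leading_zero_bits(hashlib.sha256(f"{challenge}:{counter}".encode()).digest()) < bits:
        counter += 1
    return counter

def verify(challenge, counter, now=None):
    """Server side: one HMAC and one hash, whatever the difficulty."""
    try:
        nonce, bits, expires, tag = challenge.split(":")
        bits, expires = int(bits), int(expires)
    except ValueError:
        return False
    # Reject challenges whose difficulty or expiry was altered by the client.
    if not hmac.compare_digest(tag.encode(), _tag(f"{nonce}:{bits}:{expires}").encode()):
        return False
    if (time.time() if now is None else now) > expires or challenge in _seen:
        return False  # expired, or already redeemed once
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    if leading_zero_bits(digest) < bits:
        return False
    _seen.add(challenge)
    return True

def solves_per_hour(seconds_per_solve, cores):
    """Throughput ceiling from the thread: it scales linearly with cores."""
    return 3600 / seconds_per_solve * cores
```

The challenge only prices each request in compute; it does nothing to tell a person from a program, which is the distinction the thread disputes.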