Seems kind of pointless puzzle if when you do find a solution someone else can just rob the coins off you by spam attacking and kangaroo attack.
Well, there is a way to fix it, but unfortunately, it requires OP_CAT. Because in general, if it would be possible to claim the puzzle with any public key, for which OP_HASH160 gives some value below a given target, then it would require the same effort, but could no longer be solved by Kangaroo or other similar attacks, because then nobody would know the starting point.
Also, I shared the script for doing that kind of puzzle for public keys:
4. Provably fair transaction puzzles:
Input script: "<signature> <pubkeyTail>"
Output script: "<pubkeyHead> OP_SWAP OP_CAT OP_CHECKSIG"
Execution:
<signature> <pubkeyTail> <pubkeyHead> OP_SWAP
<signature> <pubkeyHead> <pubkeyTail> OP_CAT
<signature> <pubkey> OP_CHECKSIG
OP_TRUE
Then, if you pick for example 0xbadc0ded as your <pubkeyHead>, then people could mine a public key, starting with x-value equal to 0xbadc0ded, and that would be a proof, that someone can break 32-bit public keys. Of course, any non-zero pattern will do (the only reason why zero will not work, is the half of the generator).
Which means, that if you want to do the same thing with OP_HASH160, then after a small modification, it should also work, when OP_CAT would be activated:
Input script: "<signature> <pubkey> <hashTail>"
Output script: "<hashHead> OP_SWAP OP_CAT OP_OVER OP_HASH160 OP_EQUALVERIFY OP_CHECKSIG"
Execution:
<signature> <pubkey> <hashTail> <hashHead> OP_SWAP
<signature> <pubkey> <hashHead> <hashTail> OP_CAT
<signature> <pubkey> <hashOne> OP_OVER
<signature> <pubkey> <hashOne> <pubkey> OP_HASH160
<signature> <pubkey> <hashOne> <hashTwo> OP_EQUALVERIFY
<signature> <pubkey> OP_CHECKSIG
OP_TRUE
As many people already noticed, a lot of problems could be solved, if we only would have OP_CAT. But I still wonder, if it would be activated or not.