I overlooked the appearance of this paper late last year by Leo Alcock and Ling Ren:
Quoting the abstract:
Proof-of-work (PoW) has recently become the backbone of cryptocurrencies. However, users with Application Specific Integrated Circuits (ASICs) can produce PoW solutions at orders of magnitude lower cost than typical CPU/GPU users. Memory-hard PoWs, i.e., PoW schemes that require a lot of memory to generate proofs, have been proposed as a way to reduce the advantage of ASIC-equipped users. Equihash is a recent memory-hard PoW proposal adopted by the cryptocurrency Zcash. Its simplicity, compact proof size, and tunable parameters make it a good candidate for practical protocols. However, we find its security analysis and claims are flawed. Most importantly, we refute Equihash’s claim that its security is based on Wagner’s algorithm for the generalized birthday problem. Furthermore, no tradeoff-resistance bound is known for Equihash, and its analysis on the expected number of solution is incorrect. Our findings do not expose any immediate threat to Equihash. The main purpose of this short note is to raise awareness that Equihash should be considered a heuristic scheme with no formally proven security guarantees.