The server uses the memory addresses of hash_rpc_context structures as request ids to track work delegated to its clients.
However the verification of any request ids received by the server in client responses is insufficient and the clients may abuse this to overwrite any memory locations that pass simple check for valid hash_rpc_context structure header.
Further, it is possible for the clients to sent arbitrary response data to be stored as data_to_hash member of existing hash_rpc_context structures in server memory.
This allows the clients to craft fake hash_rpc_context structures that pass server checks.
The above may be used to read arbitrary server memory by overwriting hash_rpc_context structure of first_context and next triggering hash_together_the_first_two.
This xors arbitrary memory location with known bytes and sends result as new request to the client.
My exploit uses this to extract content of key_bytes containing the flag.