Tags: web cryptography otp integer-overflow bit-by-bit gleam
TL;DR: `<<user_key:128>>` is a deadly security issue: it keeps only the 128 least significant bits of `user_key`.
I've written a highly detailed writeup of the challenge and how we utilized this issue to recover the internal authorization key of the system.
You can read it here: https://lior.gg/posts/2024/hitcon/gleamering_star/
P.S. I accidentally set the description of the challenge on CTFtime to be a description of our writeup, and CTFtime doesn't let me edit it :(
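The truncation from the TL;DR, modelled in Python as an added example (not code from the challenge or from the linked writeup). It assumes the Erlang bit-syntax behaviour that Gleam uses on the Erlang target; `encode_segment`, `encode_checked` and the sample key are hypothetical names and constructed values.

```python
# Model of how an Erlang/Gleam bit-array segment <<value:size>> encodes an
# integer: the value is reduced modulo 2**size (two's complement for
# negatives) and no error is raised. Constructed illustration only.

KEY_BITS = 128  # segment width from the TL;DR


def encode_segment(value: int, bits: int = KEY_BITS) -> bytes:
    """Mimic <<value:bits>>: silently keep only the low `bits` bits."""
    truncated = value & ((1 << bits) - 1)  # also wraps negative integers
    return truncated.to_bytes(bits // 8, "big")


def encode_checked(value: int, bits: int = KEY_BITS) -> bytes:
    """Hardened variant: refuse anything that does not fit in `bits` bits."""
    if not isinstance(value, int) or isinstance(value, bool):
        raise TypeError("key must be an integer")
    if not 0 <= value < (1 << bits):
        raise ValueError(f"key outside the {bits}-bit range")
    return value.to_bytes(bits // 8, "big")


def demo() -> dict:
    key = 0x0123456789ABCDEF0123456789ABCDEF  # constructed sample key
    oversized = key + (5 << KEY_BITS)          # differs only above bit 127
    results = {
        # Two different integers produce identical 16-byte encodings.
        "same_bytes": encode_segment(key) == encode_segment(oversized),
        # A negative input wraps to all-ones instead of failing.
        "negative_wraps": encode_segment(-1) == b"\xff" * 16,
    }
    try:
        encode_checked(oversized)
        results["checked_rejects"] = False
    except ValueError:
        results["checked_rejects"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Validating the integer's range before it reaches the bit-array segment is what separates the two functions; the segment itself never signals that high bits were dropped.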