Yep, the writing of the article is a bit sloppy, a few corrections:

• There's no vulnerability in the protocol itself, rather, it's a bug in the clients implementing the protocol.
• I wouldn't categorize this as a "Major" vulnerability since clients can detect a malicious coordinator performing this sort of attack.

Overall, it's good that there's multiple teams implementing the protocol in open source projects, allowing these sorts of issues to be caught.