1 point by _bittere a day ago | 1 comment
  • _bittere a day ago
    When you open Lichess to solve a puzzle:

    - The server sends all puzzle information, including the solution, to the client

    - The client is responsible for validating your moves

    - The client is also responsible for telling the server whether you have solved the puzzle or not.

    However, the client does the 3rd step by just sending a request with some formdata, which has a key called "win". Basically, the client does not send your sequence of moves to the server to have the server verify them but directly sends whether you solved the puzzle or not.

    Many, including me, have discovered this bug independently and tried to report it to Lichess. I tried contacting Lichess 2-3 years back when I originally discovered this, but Lichess has always responded with "puzzles aren't competitive; exploiting them doesn't matter." (https://github.com/lichess-org/lila/issues/16393#issuecommen...)

    Admittedly, they are correct: puzzle rating doesn't really matter. So, here's a little web app I made to exploit this. You just need to copy and paste your LILA2 cookie from Lichess. Requests are made through a proxy to set the Origin header.

    The source code is at: https://github.com/bittere/lisolve
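
The trust-boundary problem described in the post above, seen from the server side: an added example, not part of the original post and not Lichess code, in which the server keeps the solution, checks each move itself, and derives the result from its own state. The function names, the in-memory store and the sample puzzle are hypothetical, and it assumes one stored solution line per puzzle compared as UCI strings.

```javascript
// Added example (hypothetical names): the server, not the client, decides the result.
const crypto = require("node:crypto");

// Constructed sample puzzle. Moves alternate: player, opponent reply, player, ...
const PUZZLES = {
  demo1: { fen: "constructed-position", solution: ["e2e4", "e7e5", "g1f3"] },
};

// attemptId -> { puzzleId, userId, ply, done, win }; a real service would persist this.
const attempts = new Map();

// Start an attempt. The response carries the position and an opaque id,
// never the solution, so there is nothing for the client to read ahead.
function startAttempt(userId, puzzleId) {
  const puzzle = PUZZLES[puzzleId];
  if (!puzzle) throw new Error("unknown puzzle");
  const attemptId = crypto.randomBytes(16).toString("hex");
  attempts.set(attemptId, { puzzleId, userId, ply: 0, done: false, win: false });
  return { attemptId, fen: puzzle.fen };
}

// Handle one submitted move. Only body.attemptId and body.move are read;
// a client-supplied field such as "win" has no effect on the outcome.
function submitMove(userId, body) {
  const a = attempts.get(body.attemptId);
  if (!a || a.userId !== userId) return { status: 403 }; // not this user's attempt
  if (a.done) return { status: 409, win: a.win };        // result is final
  const solution = PUZZLES[a.puzzleId].solution;
  if (typeof body.move !== "string" || body.move !== solution[a.ply]) {
    a.done = true; // first wrong move ends the attempt as a loss
    return { status: 200, done: true, win: false };
  }
  a.ply += 1;
  let reply; // reveal only the opponent's next move, one ply at a time
  if (a.ply < solution.length) {
    reply = solution[a.ply];
    a.ply += 1;
  }
  if (a.ply >= solution.length) {
    a.done = true;
    a.win = true;
  }
  return { status: 200, done: a.done, win: a.win, reply };
}

// Rating updates read the stored outcome, never a request parameter.
function resultFor(attemptId) {
  const a = attempts.get(attemptId);
  return a && a.done ? a.win : null;
}
```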