
Yes, they did. This was not the goal of the bounty, but was still a serious issue. They couldn't give away the prize for the contest and instead decided on a still quite generous $100,000.

http://telegram.org/crypto_contest



> This was not the goal of the bounty, but was still a serious issue.

To be clear, this bug was enough to compromise the security of every Telegram secret chat session. I can't think of a more serious issue.


Yeah. In essence, it made their nominally end-to-end encrypted secret chat feature no more secure than simply giving the Telegram server operators a plaintext copy of every message you sent and trusting them not to log, read or tamper with it.

Worse, it's the kind of flaw you'd expect someone subtly sabotaging the protocol to create. It's a small, superficially plausible modification that turns an apparently secure scheme into something completely broken. Yet if they'd made that modification in the obvious way - by combining the nonce and Diffie-Hellman result with a secure hash function - it wouldn't have caused the problem; for the vulnerability to exist the nonce has to be handled in a very particular way.
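The difference between the two ways of combining the nonce with the Diffie-Hellman result, as an added example that is not part of the comment above and not Telegram's code. It assumes the "very particular" handling was XORing a nonce chosen by the relaying server into the raw DH result; the group, secrets and function names are constructed for illustration.

```python
import hashlib

# Toy parameters, constructed for this example (not a real DH group or real keys).
P = 2**127 - 1            # Mersenne prime, far too small for real use
G = 3
ALICE_PRIV = 2**120 + 1
BOB_PRIV = 2**119 + 1
RELAY_PRIV = 2**61 - 1    # secret of a relay that swaps in its own public value

def shared(priv, peer_pub):
    """Raw Diffie-Hellman result as 16 bytes."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def combine_xor(dh, nonce):
    # Assumed "very particular" handling: nonce XORed straight into the DH result.
    return xor(dh, nonce)

def combine_hash(dh, nonce):
    # The "obvious" handling from the comment: hash nonce and DH result together.
    return hashlib.sha256(nonce + dh).digest()

def session_keys(combine):
    """Keys Alice and Bob end up with when the relay runs a separate DH
    exchange with each of them and also chooses both nonces."""
    relay_pub = pow(G, RELAY_PRIV, P)
    dh_alice = shared(ALICE_PRIV, relay_pub)   # the relay can compute this too
    dh_bob = shared(BOB_PRIV, relay_pub)       # and this
    nonce_alice = bytes(16)
    # Nonce for Bob chosen to cancel the difference between the two DH results.
    nonce_bob = xor(xor(dh_alice, nonce_alice), dh_bob)
    return combine(dh_alice, nonce_alice), combine(dh_bob, nonce_bob)

def keys_match(combine):
    key_alice, key_bob = session_keys(combine)
    return key_alice == key_bob

if __name__ == "__main__":
    print("xor combine, keys equal: ", keys_match(combine_xor))    # True
    print("hash combine, keys equal:", keys_match(combine_hash))   # False
```

With the XOR combiner both ends hold the same key even though neither shares a DH secret with the other, so comparing keys end to end reveals nothing; with the hash combiner the keys differ and the same comparison exposes the relay.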


Vulnerability to passive attacks is worse than vulnerability to active attacks. I'm not downplaying the severity of a MITM vulnerability, but certainly there could exist more serious issues.



