I'm not here to report a vulnerability. I was asked for my opinion, and I said I don't like your design.
One specific criticism is that you're using GCM but do not have any sort of Key Commitment in your protocol. That's not a vulnerability, to my knowledge.