As stated in the description, this is a one-time pad challenge. One of the criteria of a one-time pad is that the key is never reused in part or in whole. We can modify the program so that it does not meet this requirement.
The significant bug in the otp.py script appears on lines 34-36:
if stop >= KEY_LEN:
stop = stop % KEY_LEN
key = kf[start:]+ kf[:stop]
stop equals the previous ending point of the key plus the length of the new user input. However, if stop is greater than the key length, stop is set to stop % KEY_LEN. Thus, inputting just enough text to get to the end of the keyfile will set stop to 0 because 40000 % 40000 is 0. key_location is then set to stop and key_location is returned. So, when we input the next string to be encrypted the encrypt function will receive key_location=0, thus allowing us to use the same key that was used to encrypt the flag.
Generate a pwntools template with pwn template --host mercury.picoctf.net --port 20266 otp.py.