(Chain of bugs) From IDOR to Privilege escalation

neelam
3 min read · Aug 1, 2021

This bug became one of my special ones, not only because it gave me a handsome bounty but also because it was not easy to identify.

Observation:

The application had a use case for adding more members to the admin account, who could in turn invite people and assign roles to them.

I found that some random numbers were being generated on a PATCH method, which also had a few role IDs assigned in the JSON body.
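To make the observation concrete, here is an added example (not code from the target application, and written for this editor's note rather than by the author): a minimal model of a `PATCH /members/<member_id>` handler as many apps ship it, where the numeric member ID from the URL and the `role_ids` list from the JSON body are trusted, beside a tenant-scoped, role-checked version. Every name, member ID, organization ID and role ID in it is made up for illustration.

```python
"""Added example: IDOR on a member PATCH endpoint that also carries role IDs,
and the same endpoint with object-level and function-level authorization.
All identifiers below are constructed for illustration, not from any real app."""

from dataclasses import dataclass

ROLE_ADMIN, ROLE_EDITOR, ROLE_VIEWER = 1, 2, 3          # made-up role IDs
KNOWN_ROLES = {ROLE_ADMIN, ROLE_EDITOR, ROLE_VIEWER}


@dataclass
class Member:
    member_id: int      # the opaque-looking number that appears in the PATCH URL
    org_id: int         # tenant (admin account) the member belongs to
    user: str
    role_ids: set


def fresh_store():
    """Constructed sample data: two organizations, one admin and one viewer each."""
    return {
        1001: Member(1001, 1, "alice", {ROLE_ADMIN}),
        1002: Member(1002, 1, "bob",   {ROLE_VIEWER}),
        2001: Member(2001, 2, "carol", {ROLE_ADMIN}),
        2002: Member(2002, 2, "dave",  {ROLE_VIEWER}),
    }


def patch_member_vulnerable(store, caller_id, member_id, body):
    """Only checks that the caller is a known (authenticated) member.
    The member_id from the URL and the role_ids from the body are trusted."""
    if caller_id not in store:
        return 401, None
    target = store[member_id]                     # IDOR: no tenant check on the ID
    target.role_ids = set(body["role_ids"])       # any caller may set any role
    return 200, sorted(target.role_ids)


def patch_member_hardened(store, caller_id, member_id, body):
    """Same endpoint with the two checks the vulnerable version lacks."""
    caller = store.get(caller_id)
    if caller is None:
        return 401, None
    # Object-level authorization: the target must belong to the caller's tenant.
    # Answer 404 for both "missing" and "other tenant" so the response does not
    # confirm that a guessed member ID exists.
    target = store.get(member_id)
    if target is None or target.org_id != caller.org_id:
        return 404, None
    # Function-level authorization: only an admin of that tenant may assign roles.
    if ROLE_ADMIN not in caller.role_ids:
        return 403, None
    # Input validation: reject unknown role IDs instead of storing them.
    requested = set(body.get("role_ids", []))
    if not requested or not requested <= KNOWN_ROLES:
        return 400, None
    target.role_ids = requested
    return 200, sorted(target.role_ids)


def demo():
    """Run the same requests against both handlers and return the outcomes."""
    results = {}
    # dave, a viewer in org 2, PATCHes bob (org 1) to admin, then promotes himself.
    s = fresh_store()
    results["vuln_cross_tenant"] = patch_member_vulnerable(s, 2002, 1002, {"role_ids": [ROLE_ADMIN]})[0]
    results["vuln_bob_roles"] = sorted(s[1002].role_ids)
    results["vuln_self"] = patch_member_vulnerable(s, 2002, 2002, {"role_ids": [ROLE_ADMIN]})[0]
    # Same requests against the hardened handler, plus a legitimate admin update.
    s = fresh_store()
    results["hard_cross_tenant"] = patch_member_hardened(s, 2002, 1002, {"role_ids": [ROLE_ADMIN]})[0]
    results["hard_self"] = patch_member_hardened(s, 2002, 2002, {"role_ids": [ROLE_ADMIN]})[0]
    results["hard_admin_ok"] = patch_member_hardened(s, 1001, 1002, {"role_ids": [ROLE_EDITOR]})[0]
    results["hard_bob_roles"] = sorted(s[1002].role_ids)
    results["hard_bad_role"] = patch_member_hardened(s, 1001, 1002, {"role_ids": [99]})[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the two checks is that an unpredictable-looking member ID is not an access control: once one ID leaks (or is enumerable), the vulnerable handler lets any authenticated user rewrite any member's roles, which is exactly the chain from IDOR to privilege escalation. The hardened handler scopes the lookup to the caller's tenant and separately checks that the caller is allowed to assign roles at all.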

Attack:
