Bitcoin Forum
May 22, 2024, 02:21:01 PM
Topic: How Segwit handles SIGHASH_SINGLE bug?  (Read 123 times)
garlonicon (OP)
Hero Member
January 04, 2022, 06:07:26 PM
Merited by Welsh (2)
#1

I know that for old addresses the SHA-256 value of one is used. But is it the case for Segwit? As far as I understand https://github.com/bitcoin/bips/blob/master/bip-0143.mediawiki#cite_note-7, it should work for zero instead of one, right? But when I try to use z=0 in my signature, Bitcoin Core says it is invalid. Also, the same signature as for a non-Segwit address is invalid, so z=1 is not the case either. So: is it possible to spend a P2WPKH output with SIGHASH_SINGLE when there is no matching output index for a given input? Is it relayed by default if broadcast? Is it nonstandard, but valid somehow? How does this bug work for Segwit addresses? Or is it fixed, and there is no way to use SIGHASH_SINGLE in Segwit addresses without a matching output?
gmaxwell
Moderator, Legendary, expert
January 04, 2022, 09:08:25 PM
Merited by Welsh (4), hugeblack (4), garlonicon (3), NeuroticFish (2), pooya87 (2), ABCbits (2)
#2

https://github.com/bitcoin/bips/blob/master/bip-0143.mediawiki#specification

The only thing set to zero is the hashOutputs portion of this.

If the entire 'hash' were set to zero, someone could instantly steal anyone's coins, which is presumably what you were trying to do instead of ethically reporting a vulnerability you believed you found.
pooya87
Legendary
January 05, 2022, 03:56:25 AM
Merited by hugeblack (2), NeuroticFish (1)
#3

Also, it is not a bug; it is a feature.
It has always been well known how out-of-range indexes for SIGHASH_SINGLE work. Calling it a bug is like saying that sending your coins to an output script equal to OP_TRUE (that anyone can spend) is a bug!

garlonicon (OP)
Hero Member
January 05, 2022, 01:50:15 PM
Merited by Welsh (1)
#4

Quote
If the entire 'hash' were set to zero, someone could instantly steal anyone's coins
How?

Quote
which is presumably what you were trying to do instead of ethically reporting a vulnerability you believed you found
What is that vulnerability? Is the case where z=0 somehow more dangerous than z=1? If it is, I didn't expect that, so I don't know what I should "ethically report".

Quote
Also it is not a bug, it is a feature.
If it is a feature, then why does it not work in the same way as for non-Segwit addresses? And if it is a feature, then why is it disabled in Taproot? The ability to move any coins connected with some public key by reusing the same signature sounds like a bug to me.
pooya87
Legendary
January 06, 2022, 03:57:05 AM
Merited by Cookdata (1)
#5

Quote
The ability to move any coins connected with some public key by reusing the same signature sounds like a bug to me.
That's not how it works. If the SIGHASH is changed (e.g. from ALL to SINGLE), the previous signature is no longer valid. You have to willingly and knowingly sign the transaction with the specified SIGHASH and publish it. That makes it a feature, not a bug.
I already gave you the example of sending coins to OP_TRUE; another one is sending your coins to P2SH-P2TR (wrapped Taproot). Anyone can spend your coins if you do that and they know your script. That is a known feature and can't be called a bug.
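As an added illustration (not code from this thread, from BIP143 or from Bitcoin Core), the following Python builds the BIP143 digest for a constructed two-input, one-output transaction and signs the second input with SIGHASH_SINGLE, so that no output matches that input index. It shows the point made in #2 that only the hashOutputs field becomes 32 zero bytes while the digest as a whole still commits to the outpoint, the spent amount and the scriptCode, and the point made in #5 that changing the sighash type yields a different digest, so a signature made for one type does not verify under another. The txids, pubkey hash, amounts and output script are constructed placeholders; the legacy comparison value is the constant digest 1 that the pre-segwit SignatureHash returns for SIGHASH_SINGLE with no matching output.

```python
import hashlib
from dataclasses import dataclass

SIGHASH_ALL = 0x01
SIGHASH_NONE = 0x02
SIGHASH_SINGLE = 0x03
SIGHASH_ANYONECANPAY = 0x80


def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def varint(n: int) -> bytes:
    # Bitcoin CompactSize encoding, used for the scriptCode / scriptPubKey length prefix.
    if n < 0xFD:
        return n.to_bytes(1, "little")
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")


@dataclass
class TxIn:
    prev_txid: bytes          # 32 bytes, internal byte order
    prev_index: int
    sequence: int = 0xFFFFFFFF


@dataclass
class TxOut:
    value: int                # satoshis
    script_pubkey: bytes


@dataclass
class Tx:
    version: int
    vin: list
    vout: list
    locktime: int = 0


def ser_outpoint(txin: TxIn) -> bytes:
    return txin.prev_txid + txin.prev_index.to_bytes(4, "little")


def ser_output(txout: TxOut) -> bytes:
    return txout.value.to_bytes(8, "little") + varint(len(txout.script_pubkey)) + txout.script_pubkey


def bip143_hash_outputs(tx: Tx, n_in: int, sighash_type: int) -> bytes:
    # BIP143 item 8: the only part that is zeroed for SIGHASH_SINGLE without a matching output.
    base = sighash_type & 0x1F
    if base not in (SIGHASH_SINGLE, SIGHASH_NONE):
        return dsha256(b"".join(ser_output(o) for o in tx.vout))
    if base == SIGHASH_SINGLE and n_in < len(tx.vout):
        return dsha256(ser_output(tx.vout[n_in]))
    return bytes(32)


def bip143_sighash(tx: Tx, n_in: int, script_code: bytes, amount: int, sighash_type: int) -> bytes:
    base = sighash_type & 0x1F
    anyonecanpay = bool(sighash_type & SIGHASH_ANYONECANPAY)
    hash_prevouts = bytes(32) if anyonecanpay else dsha256(b"".join(ser_outpoint(i) for i in tx.vin))
    if anyonecanpay or base in (SIGHASH_SINGLE, SIGHASH_NONE):
        hash_sequence = bytes(32)
    else:
        hash_sequence = dsha256(b"".join(i.sequence.to_bytes(4, "little") for i in tx.vin))
    txin = tx.vin[n_in]
    preimage = (
        tx.version.to_bytes(4, "little")
        + hash_prevouts
        + hash_sequence
        + ser_outpoint(txin)                      # the coin being spent is always committed to
        + varint(len(script_code)) + script_code  # scriptCode, for P2WPKH the P2PKH-style script
        + amount.to_bytes(8, "little")            # value of the spent output
        + txin.sequence.to_bytes(4, "little")
        + bip143_hash_outputs(tx, n_in, sighash_type)
        + tx.locktime.to_bytes(4, "little")
        + sighash_type.to_bytes(4, "little")
    )
    return dsha256(preimage)


def p2wpkh_script_code(pubkey_hash20: bytes) -> bytes:
    return b"\x76\xa9\x14" + pubkey_hash20 + b"\x88\xac"


def legacy_single_out_of_range_digest() -> bytes:
    # Pre-segwit SignatureHash returns the 256-bit integer 1 (little-endian) in this case.
    return (1).to_bytes(32, "little")


def build_demo_tx(second_input_txid: bytes) -> Tx:
    # Constructed transaction: two inputs, one P2WPKH output, so input index 1 has no matching output.
    return Tx(
        version=2,
        vin=[TxIn(prev_txid=bytes([0xAA]) * 32, prev_index=0),
             TxIn(prev_txid=second_input_txid, prev_index=1)],
        vout=[TxOut(value=90_000, script_pubkey=b"\x00\x14" + bytes([0x11]) * 20)],
    )


def demo() -> dict:
    script_code = p2wpkh_script_code(bytes([0x22]) * 20)   # constructed pubkey hash
    amount = 50_000
    n_in = 1                                               # the input with no output at its index
    tx = build_demo_tx(bytes([0xBB]) * 32)
    tx_other_coin = build_demo_tx(bytes([0xCC]) * 32)      # same shape, different coin in input 1
    return {
        "hash_outputs_single_oob": bip143_hash_outputs(tx, n_in, SIGHASH_SINGLE),
        "digest_single_oob": bip143_sighash(tx, n_in, script_code, amount, SIGHASH_SINGLE),
        "digest_all": bip143_sighash(tx, n_in, script_code, amount, SIGHASH_ALL),
        "digest_single_oob_other_coin": bip143_sighash(tx_other_coin, n_in, script_code, amount, SIGHASH_SINGLE),
        "legacy_single_oob": legacy_single_out_of_range_digest(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value.hex()}")
```

Running the block prints five values: hashOutputs for the out-of-range SIGHASH_SINGLE case is all zeros, but the three BIP143 digests are distinct 32-byte hashes, and the one for the "other coin" differs from the first because the outpoint is part of the preimage. The legacy value, by contrast, is the same constant 1 for every input of every transaction, which is why a legacy SIGHASH_SINGLE signature made in that situation can be reused, and why BIP143 only zeroes hashOutputs rather than the whole digest.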
