Check out in hs_desc_intro_point_v3_token_table[] how we make enc_key_cert and legacy_key_cert optional (OBJ_OK) yet in decode_introduction_point() we assert if either of them are missing. These lines are inside the encrypted part so the HSDir itself is immune from asserting. I believe the HSDir cannot substitute its own evil hs desc (that is, it cannot do the attack itself), because the client wouldn't be able to decrypt it -- so the attack requires the attacker to get the victim to try to visit the evil onion address (but of course it could be a more subtle visit like sticking an image href to it in some webpage). Bug found while working with a nice person who does not request credit.