the way for the attacker to check if you actually did the mistake, is by computing: d = z(s-r)-1
No just to see if r equals the x coordinate of the public key.
Oh, OK - that's much easier then.
Still unlikely to happen, thought equally likely as picking up zero...
So you might have some point here, because EC-Verify functions from the crypto libs I've seen, they all check the k for zero, but not for d...