I chatted with Alex Gorbachev on email about this issue, privet Alex! and today he has posted the issue to his blog in a post titled "Calling Definer-Rights Procedure as SYSDBA - Security Hole?
". This is summed up as an issue where SYS AS SYSDBA seems to default to invoker rights irrespective of whether the procedure it is executing is definer rights. See Alex's examples for details. I suggested some further tests to Alex to find out if its a SYS issue as well and also to create the definer rights procedure as the lower level user rtaher than as SYS owned by the other user (shouldnt matter). I am not convinced its a security issue as the issue is with SYS AS SYSDBA so you canot escalate higher than that.