From 4f168a035a6945a0c303bad80cee9c870a502434 Mon Sep 17 00:00:00 2001
From: Sowmayjain <champ.sowmay@gmail.com>
Date: Fri, 12 Apr 2019 17:29:47 +0530
Subject: [PATCH] Added: non-owners can't wipe / lock other's CDP.

---
 contracts/ProxyLogics/InstaMaker.sol | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/contracts/ProxyLogics/InstaMaker.sol b/contracts/ProxyLogics/InstaMaker.sol
index f05c67d..b8e6d48 100644
--- a/contracts/ProxyLogics/InstaMaker.sol
+++ b/contracts/ProxyLogics/InstaMaker.sol
@@ -125,13 +125,17 @@ contract CDPResolver is Helpers {
     }
 
     function lock(uint cdpNum) public payable {
-        bytes32 cup = bytes32(cdpNum);
-        address tubAddr = getSaiTubAddress();
         if (msg.value > 0) {
+            bytes32 cup = bytes32(cdpNum);
+            address tubAddr = getSaiTubAddress();
+
             TubInterface tub = TubInterface(tubAddr);
             TokenInterface weth = tub.gem();
             TokenInterface peth = tub.skr();
 
+            (address lad,,,) = tub.cups(cup);
+            require(lad == address(this), "cup-not-owned");
+
             weth.deposit.value(msg.value)();
 
             uint ink = rdiv(msg.value, tub.per());
@@ -188,6 +192,9 @@ contract CDPResolver is Helpers {
 
             bytes32 cup = bytes32(cdpNum);
 
+            (address lad,,,) = tub.cups(cup);
+            require(lad == address(this), "cup-not-owned");
+
             setAllowance(dai, getSaiTubAddress());
             setAllowance(mkr, getSaiTubAddress());
             setAllowance(dai, getUniswapDAIExchange());