substrate-erc20-multi
`transfer_from` looks up the wrong allowance
In its current state, `transfer_from` executes against an Allowance entry with `to` as the spender side, which is wrong. The spender side should be verified against the sender of the transaction, and `to` should be allowed to be any address.
As a result, anyone can use up an existing allowance to send the amount from the allowing party to the spender, and if Alice allows Bob to spend X, only a `transfer_from` by Bob from Alice to himself for amount X is ever going to be anywhere near the valid behavior.
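The lookup described in this issue, next to the expected one, as an added example that is not the pallet's own code. It is a plain-Rust model rather than Substrate runtime code; `Token`, `spend`, `scenario` and the account names are hypothetical.

```rust
use std::collections::HashMap;

type Account = &'static str;
type Res = Result<(), &'static str>;

#[derive(Default)]
struct Token {
    balances: HashMap<Account, u64>,
    allowances: HashMap<(Account, Account), u64>, // (owner, spender) -> remaining
}

impl Token {
    // Debit `from`, credit `to`, charging the (from, spender) allowance entry.
    fn spend(&mut self, spender: Account, from: Account, to: Account, amount: u64) -> Res {
        let allowance = *self.allowances.get(&(from, spender)).unwrap_or(&0);
        let balance = *self.balances.get(&from).unwrap_or(&0);
        if allowance < amount { return Err("allowance too low"); }
        if balance < amount { return Err("balance too low"); }
        self.allowances.insert((from, spender), allowance - amount);
        self.balances.insert(from, balance - amount);
        *self.balances.entry(to).or_insert(0) += amount;
        Ok(())
    }
    // Behaviour described in the issue: `to` is used as the spender, the caller is ignored.
    fn transfer_from_buggy(&mut self, _caller: Account, from: Account, to: Account, amount: u64) -> Res {
        self.spend(to, from, to, amount)
    }
    // Expected behaviour: the caller is the spender, `to` may be any account.
    fn transfer_from_fixed(&mut self, caller: Account, from: Account, to: Account, amount: u64) -> Res {
        self.spend(caller, from, to, amount)
    }
}

// Constructed scenario: alice holds 100 and approves bob for 40.
// Returns (mallory moving alice -> bob, bob moving alice -> carol).
fn scenario(fixed: bool) -> (Res, Res) {
    let mut t = Token::default();
    t.balances.insert("alice", 100);
    t.allowances.insert(("alice", "bob"), 40);
    let mut call = |caller: Account, to: Account| if fixed {
        t.transfer_from_fixed(caller, "alice", to, 10)
    } else {
        t.transfer_from_buggy(caller, "alice", to, 10)
    };
    (call("mallory", "bob"), call("bob", "carol"))
}

fn main() {
    println!("buggy: {:?}", scenario(false));
    println!("fixed: {:?}", scenario(true));
}
```

With the buggy lookup, the unapproved caller succeeds and the approved spender cannot choose a different recipient; with the caller-keyed lookup, both outcomes flip.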