The goal of this challenge is to become the steal everyone's money, but there are some checks which needs to be bypassed.
An attacker can give account number of victim on from post parameter and on to parameter attacker can use his account number.As there is no check for verifying that from account is user’s account only.
But we need to verify it too.