Upgradable: Upgradable by Hats governance.
Immutable: Owners can be changed with the default timelock (3 weeks).
Oracles: Hats protocol does not rely on oracles. Vault token values are displayed for better UX only.
Front-run attack mitigation: Hats deposits have a withdrawal request period (currently set to 7 days), which prevents depositors from front-running the bounty payout function call. In addition, the pendingApprovalClaim function, which pauses withdrawals in order to pay a bounty, can only be called during a safety period (1 hour, twice a day), a period during which withdrawals are disabled. So even a depositor with an active withdrawal request cannot front-run the bounty payout.
Timelock: Timelocks are handled by the HATTimelockController contract, which is based on openzeppelin-solidity/contracts/governance/TimelockController.sol. The default timeout is set to 3 weeks.
Flashloans: Hats functions are not susceptible to flashloans. The Hats vaults swapBurnSend function can only be called by governance, so it is not susceptible to price manipulation attacks.
Pause controls: Hats contracts don't have pause controls. Hats vault withdrawals cannot be stopped; only deposits can be paused by Hats governance.
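The following is an added example, not Hats protocol code: a minimal time-based Python model of the withdrawal-request, safety-period and pause behaviour described above (front-run mitigation and pause controls), used to check the claim that a depositor with a matured withdrawal request still cannot withdraw ahead of a bounty payout. The 7-day request period and the 1-hour, twice-daily safety period come from the page; the phasing of the safety period within each 12-hour cycle and the 1-day withdrawal window after a request matures are assumptions, as are all function and field names.

```python
# Added example (not Hats protocol code): a model of the withdrawal-request /
# safety-period mechanism, to check that withdrawals cannot front-run a claim.
from dataclasses import dataclass, field

HOUR = 3600
DAY = 24 * HOUR

WITHDRAW_REQUEST_PENDING = 7 * DAY   # from the page: 7-day withdrawal request period
SAFETY_CYCLE = 12 * HOUR             # from the page: safety period twice a day ...
SAFETY_PERIOD = 1 * HOUR             # ... lasting 1 hour each time
WITHDRAW_WINDOW = 1 * DAY            # ASSUMPTION: how long a matured request stays valid


def in_safety_period(t: int) -> bool:
    """ASSUMPTION: the safety period is the first hour of every 12-hour cycle."""
    return t % SAFETY_CYCLE < SAFETY_PERIOD


@dataclass
class VaultModel:
    withdrawals_paused: bool = False   # set only by a pending claim, never by governance
    deposits_paused: bool = False      # governance may pause deposits (page: pause controls)
    requests: dict = field(default_factory=dict)   # depositor -> request timestamp

    def request_withdrawal(self, who: str, t: int) -> None:
        """Depositor announces intent to withdraw; the 7-day clock starts now."""
        self.requests[who] = t

    def pending_approval_claim(self, t: int) -> bool:
        """Committee submits a claim. Allowed only inside a safety period,
        when withdrawals are already disabled; pauses withdrawals until resolved."""
        if not in_safety_period(t):
            return False
        self.withdrawals_paused = True
        return True

    def governance_pause_deposits(self) -> None:
        """Governance can pause deposits; there is no equivalent for withdrawals."""
        self.deposits_paused = True

    def can_deposit(self) -> bool:
        return not self.deposits_paused

    def can_withdraw(self, who: str, t: int) -> tuple:
        """Return (allowed, reason) for a withdrawal attempt by `who` at time t."""
        if who not in self.requests:
            return False, "no withdrawal request"
        if in_safety_period(t):
            return False, "safety period"
        if self.withdrawals_paused:
            return False, "claim pending"
        matured = self.requests[who] + WITHDRAW_REQUEST_PENDING
        if t < matured:
            return False, "request still pending"
        if t > matured + WITHDRAW_WINDOW:
            return False, "withdrawal window expired"
        return True, "ok"


def front_run_scenario() -> dict:
    """Constructed timeline: depositor requests at t=2h; a claim is submitted
    at day 7 + 12h30m, i.e. inside a safety period."""
    v = VaultModel()
    v.request_withdrawal("alice", 2 * HOUR)
    out = {}
    # day 6: request has not matured yet
    out["before_maturity"] = v.can_withdraw("alice", 6 * DAY + 5 * HOUR)[1]
    # day 7 + 3h: matured, outside a safety period, no claim -> allowed
    out["after_maturity"] = v.can_withdraw("alice", 7 * DAY + 3 * HOUR)[1]
    # a claim outside a safety period is rejected
    out["claim_outside_safety"] = v.pending_approval_claim(7 * DAY + 3 * HOUR)
    claim_t = 7 * DAY + 12 * HOUR + 30 * 60
    # at the moment the claim is filed, withdrawals are already disabled
    out["at_claim_time"] = v.can_withdraw("alice", claim_t)[1]
    out["claim_in_safety"] = v.pending_approval_claim(claim_t)
    # once the claim is pending, withdrawals stay blocked after the safety period ends
    out["after_claim"] = v.can_withdraw("alice", claim_t + 2 * HOUR)[1]
    # governance pausing deposits does not touch the withdrawal path
    v.governance_pause_deposits()
    out["deposits_after_pause"] = v.can_deposit()
    return out


if __name__ == "__main__":
    for k, val in front_run_scenario().items():
        print(f"{k}: {val}")
```

The point the model makes visible is the ordering of the checks: because a claim can only be filed while withdrawals are already disabled by the safety period, there is never an instant at which a matured request is withdrawable and a claim is about to land, so watching the mempool for pendingApprovalClaim gives a depositor nothing to act on.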