There are many ways a decentralized protocol can be hacked or exploited. Most of the time, the protocol is not entirely decentralized and centralized aspects such as centrally-hosted websites, APIs or servers can be abused in some manner. There are, however, many times where smart contracts contain unknown vulnerabilities, and hackers may discover these and abuse them as they see fit.
A developer may also intentionally introduce vulnerabilities into their own application or grant themselves administrative privileges in order to steal incoming users' funds, in which case the project would be considered a rug pull or an outright scam.