The developer of a contract can hide code. Developers of a dApp publish their code and contract address to etherscan.io so that anyone can look at it and audit it. This creates a degree of trust in the project, but there is a way for the developer to hide malicious code: the verified source is clean, while the behaviour that matters lives at a separate, unverified address.
This kind of attack may fool many auditors. So one good solution is to review the code for any external, unverified address that is called via the constructor.
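The review described above, as an added example that is not part of the original page: a small heuristic checker that locates a Solidity constructor and flags any statement that calls into an address handed in at deployment time (either a low-level `call`/`delegatecall`/`staticcall` or an interface cast followed by a method call). The Solidity sample is constructed for illustration, and the scanner only follows constructor parameters directly, not addresses copied into state variables first.

```python
import re

# Constructed sample of "verified" source: the constructor immediately calls into
# two deploy-time addresses whose code is not part of what Etherscan shows.
SAMPLE_SOURCE = """
pragma solidity ^0.8.0;
contract Token {
    address public vault;
    constructor(address _vault, address _logic) payable {
        vault = _vault;
        IVault(_vault).register(address(this));
        (bool ok, ) = _logic.delegatecall(abi.encodeWithSignature("init()"));
        require(ok);
    }
    function transfer(address to, uint256 amount) external {}
}
"""

# Constructed clean sample: the address is only stored, never called, in the constructor.
CLEAN_SOURCE = "contract Safe { address owner; constructor(address _owner) { owner = _owner; } }"


def extract_constructor(source):
    """Return (parameter list, body) of the first constructor, or None if absent."""
    m = re.search(r"constructor\s*\(([^)]*)\)[^{]*\{", source)
    if not m:
        return None
    start, depth, i = m.end(), 1, m.end()
    while i < len(source) and depth:          # walk to the matching closing brace
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return m.group(1), source[start:i - 1]


def address_params(params):
    """Names of constructor parameters declared with an address type."""
    return [p.split()[-1] for p in params.split(",") if p.strip().startswith("address")]


def find_external_calls(source):
    """Return (param, statement) pairs where the constructor calls a supplied address."""
    ctor = extract_constructor(source)
    if ctor is None:
        return []
    params, body = ctor
    findings = []
    for name in address_params(params):
        n = re.escape(name)
        # low-level call on the address, or an interface cast such as IVault(_vault).x(...)
        pat = re.compile(r"\b%s\s*\.\s*(?:call|delegatecall|staticcall)\b|\b\w+\s*\(\s*%s\s*\)\s*\.\s*\w+" % (n, n))
        for stmt in body.split(";"):
            if pat.search(stmt):
                findings.append((name, stmt.strip()))
    return findings
```

Each finding is a constructor statement whose target code cannot be audited from the verified source alone, so the reviewer must resolve that address on-chain and check whether it is verified.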